It is, theoretically at least, possible to install a rootkit that puts
the original system into a virtual machine and runs that. It's next to
impossible from within the VM to tell and the host rootkit could be
doing anything.
However, it's not something I'd be too concerned about. So far as I am
aware, this remains a theoretical exploit only - at worst, it might be
found in the lab. No such exploit has yet been found in the wild. It
would be *major* news if it had.